LarryG
Frequent Visitor
Topic Author
Posts: 50
Joined: Tue Jun 19, 2012 8:09 pm

Is Vlans the answer or is there an easier way?

Thu Aug 16, 2012 11:01 pm

Hi,

I have two routers: RB2011 and RB751G. The RB2011 is not a wireless router; the RB751G is. My goal is to set up a network where port 1 is where my internet connects. Ports 2, 3, 6, 7, 8, 9 and 10 are all on the same network, 172.16.0.0/24. Ports 3 and 4 are separate and use 172.31.0.0/24.

Now my port 2 on the RB2011 will go into the RB751G, which for the most part will be used as a switch. However, what I would like to do is have all the Ethernet ports 1-5 be part of the 172.16.0.0/24 network that is coming from the RB2011, and I would like the WLAN to be part of the 172.31.0.0/24 network that is also on the RB2011. I do not want these two networks to communicate with each other. However, I do want both networks to have access to the internet.

Is what I'm looking to do here best resolved with VLANs, or is there a better way to configure both the RouterBOARDs to accomplish this?

I am for sure a MikroTik beginner, hence why I chose this part of the forum to post in. If I am incorrect please let me know and I'll conform as needed.

Thanks in advance for any information and help. If I have confused you with my descriptions please ask and I will do my best to explain it in a different manner.
 
vk7zms
Member Candidate
Posts: 227
Joined: Thu Jun 29, 2006 3:01 am
Location: Hobart, Tasmania

Re: Is Vlans the answer or is there an easier way?

Fri Aug 17, 2012 11:06 am

Assuming you are using a bridge to join ether3&4 on the 2011 together, create a VLAN on ether2 and add it to the same bridge as ether3&4. Create the same VLAN on the 751 and add both the VLAN and the WLAN (or virtual AP) to the bridge.
 
patrickmkt
Member Candidate
Posts: 171
Joined: Sat Jul 28, 2012 5:21 pm

Re: Is Vlans the answer or is there an easier way?

Fri Aug 17, 2012 6:14 pm

Can you do a VLAN for two different subnets?

I'm a beginner too, but the way I would have solved this situation:

RB2011: port 1-WAN
port 2 link to RB751-LAN C (with another address assigned 172.20.0.1 for instance)
other ports either LANA or LANB as described

RB751: port 1: link to RB2011 - LAN C (172.20.0.2)
other ports either LANA or B

On each router you bridge all LANA together and all LANB together.
You create two EoIP tunnels on each router from 172.20.0.1 to 172.20.0.2. Tunnel 1 is assigned to bridge LANA, tunnel 2 is assigned to bridge LANB.

Then you just need two firewall rules to deny all forward from bridge LAN A to B and vice versa.

It's maybe a little bit overkill, but it looks easier to me. I'll appreciate constructive feedback.
 
LarryG
Frequent Visitor
Topic Author
Posts: 50
Joined: Tue Jun 19, 2012 8:09 pm

Re: Is Vlans the answer or is there an easier way?

Fri Aug 17, 2012 7:58 pm

> Assuming you are using a bridge to join ether3&4 on the 2011 together, create a VLAN on ether2 and add it to the same bridge as ether3&4. Create the same VLAN on the 751 and add both the VLAN and the WLAN (or virtual AP) to the bridge.

Yes, I have 2 bridges. All ports except for ports 4 and 5 are tied to bridge 1, and ports 4 and 5 are tied to bridge2, both of which are routing out the ether1-gateway. Each bridge has its own DHCP server handing out the proper subnet address. The ether1-gateway is a DHCP client, getting the address from the modem. The router is on port 2, so it's not tied to the same bridge as ports 4 and 5.

Would I still need to attach a VLAN to bridge 2, and make a bridge on the 751G for the WLAN and assign that VLAN 2?
 
vk7zms
Member Candidate
Posts: 227
Joined: Thu Jun 29, 2006 3:01 am
Location: Hobart, Tasmania

Is Vlans the answer or is there an easier way?

Sat Aug 18, 2012 8:38 am

In your original post you stated ether 3&4 were on the separate subnet, but it looks like you meant 4&5.

VLAN between the two devices is simpler than EoIP solution and will have less overhead than routing traffic through a third subnet.

You could also bridge WLAN to main subnet and create a virtual AP with a separate SSID and for the WLAN bridged to the VLAN - giving you both subnets on WiFi.
 
IPANetEngineer
Trainer
Posts: 1201
Joined: Fri Aug 10, 2012 6:46 am
Location: Jackson, MS, USA

Re: Is Vlans the answer or is there an easier way?

Sun Aug 19, 2012 1:35 am

VLANs are used when you want to deploy separate services/subnets out of the same physical LAN segment. VLANs (At least the way MikroTik implements them) do not provide security between LAN segments as they typically meet at a routing point somewhere and will be able to communicate via Layer 3.

It sounds like you need a few firewall filter rules to isolate the subnets from each other. No need for EoIP or other complexities.
 
LarryG
Frequent Visitor
Topic Author
Posts: 50
Joined: Tue Jun 19, 2012 8:09 pm

Re: Is Vlans the answer or is there an easier way?

Mon Aug 20, 2012 4:03 pm

I'm sorry. I did say 3 and 4, but did mean 4 and 5. Basically every port but those 2 needs to be on the same subnet and segregated from those 2 ports.

As for the suggestion about having WiFi on both subnets, that is not a valid option for this situation as we do not wish to have WiFi access to that part of the network. Thank you for the neat suggestion though.

At this point I feel that I will need to dig back into the documentation, as I am failing all over the place with getting VLANs to work in general. Once I get the configuration mostly set I will post up the config file for a better view of what is actually going on, and maybe a diagram as well.

I will continue to tinker and report back. Thank you all for the suggestions and feedback.
 
LarryG
Frequent Visitor
Topic Author
Posts: 50
Joined: Tue Jun 19, 2012 8:09 pm

Re: Is Vlans the answer or is there an easier way?

Tue Aug 28, 2012 12:26 am

Hi,

Okay, I had to send out my last two routers without a wireless configuration. Kinda sucks, but I can remotely set it up later, which is good. I had a long delay waiting for my shipment of routers to come back in to work on the configurations. So basically I've been reading over this page, http://wiki.mikrotik.com/wiki/Manual:Interface/VLAN, and I'm still not sure how to get it to be on the networks I want them on or how to implement the VLAN. Here is some of my configuration:

/interface> print
Flags: D - dynamic, X - disabled, R - running, S - slave
# NAME TYPE MTU L2MTU MAX-L2MTU
0 R ether1-gateway ether 1500 1598 4074
1 R ether2 ether 1500 1598 4074
2 ether3 ether 1500 1598 4074
3 ether4 ether 1500 1598 4074
4 R ether5 ether 1500 1598 4074
5 ether6 ether 1500 1598 2028
6 ether7 ether 1500 1598 2028
7 ether8 ether 1500 1598 2028
8 ether9 ether 1500 1598 2028
9 ether10 ether 1500 1598 2028
10 R bridge1 bridge 1500 1598
11 R bridge2 bridge 1500 1598
[] /interface>

/interface bridge port> print
Flags: X - disabled, I - inactive, D - dynamic
# INTERFACE BRIDGE PRIORITY PATH-COST HORIZON
0 ether2 bridge1 0x80 10 none
1 I ether3 bridge1 0x80 10 none
2 I ether6 bridge1 0x80 10 none
3 I ether7 bridge1 0x80 10 none
4 I ether8 bridge1 0x80 10 none
5 I ether9 bridge1 0x80 10 none
6 I ether4 bridge2 0x80 10 none
7 ether5 bridge2 0x80 10 none
8 I ether10 bridge1 0x80 10 none

/interface bridge> print
Flags: X - disabled, R - running
0 R name="bridge1" mtu=1500 l2mtu=1598 arp=enabled
mac-address= protocol-mode=none priority=0x8000
auto-mac=yes admin-mac=00:00:00:00:00:00 max-message-age=20s
forward-delay=15s transmit-hold-count=6 ageing-time=5m

1 R name="bridge2" mtu=1500 l2mtu=1598 arp=enabled
mac-address= protocol-mode=none priority=0x8000
auto-mac=yes admin-mac=00:00:00:00:00:00 max-message-age=20s
forward-delay=15s transmit-hold-count=6 ageing-time=5m

/interface bridge> /ip address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 172.16.0.1/24 172.16.0.0 bridge1
1 172.31.0.1/24 172.31.0.0 bridge2
2 D 192.168.1.176/24 192.168.1.0 ether1-gateway

Mind you, the 192.168.1.176 is just what I'm using as my pseudo ISP address :) As you can see, I have 2 networks set up, one on each bridge, and basically on this one single router. How would I set up a VLAN so that everything on bridge one is VLAN 1 and everything on bridge 2 is VLAN 2?

After that I need to learn how to set up the other router, which will be connected into the physical port 2, which is part of bridge one, and keep the Ethernet ports all part of VLAN 1 while making the WLAN VLAN 2, while keeping DHCP for each of the pools I have set up with the current IP schema.

Thanks in advance for the help. I'm not asking directly to be spoon-fed, not that I would refuse. However, I do like to learn; that's why I've been reading all the wikis as well.
 
vk7zms
Member Candidate
Posts: 227
Joined: Thu Jun 29, 2006 3:01 am
Location: Hobart, Tasmania

Re: Is Vlans the answer or is there an easier way?

Tue Aug 28, 2012 3:32 pm

OK - so ether2 on the RB2011 is already a member of bridge1 that you want the Ethernet ports on the RB751 to be a part of, so you need to do nothing but patch the two together for this part to work.

Create bridge1 on the RB751 and add all the Ethernet ports to this bridge. Add a VLAN with, say, vlan-id=2 to the Ethernet port that is patched to the RB2011. Add a VLAN with the same ID to ether2 on the RB2011.

On the RB2011 add the VLAN as a port of bridge2.

On the RB751 create a second bridge and add the WLAN and the VLAN as ports.

You get - all Ethernet ports on the 751 bridged to the same ports as bridge1 on the RB2011, and the WLAN on the 751 bridged to the ports on bridge2 on the 2011.

Is that what you were trying to achieve?
 
LarryG
Frequent Visitor
Topic Author
Posts: 50
Joined: Tue Jun 19, 2012 8:09 pm

Re: Is Vlans the answer or is there an easier way?

Tue Aug 28, 2012 3:42 pm

> You get - all Ethernet ports on 751 bridged to the same ports as bridge1 on the RB2011, and the wlan on the 751 bridged to the ports on bridge2 on the 2011.
>
> Is that what you were trying to achieve?

Yes, this is what I'm trying to achieve. What I'm not getting is the adding of IP addresses to the VLANs. Or is that not needed in the manner that you're suggesting?
 
vk7zms
Member Candidate
Posts: 227
Joined: Thu Jun 29, 2006 3:01 am
Location: Hobart, Tasmania

Is Vlans the answer or is there an easier way?

Tue Aug 28, 2012 5:30 pm

In this case the VLANs are members of bridges, so the ip addresses stay on the bridges. The 751 doesn't even need an ip address (except for management purposes)

Btw - in your first post you mention you didn't want the two private ip ranges to be able to route to each other. You will need to add firewall rules to RB2011 to prevent this
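
The firewall isolation that IPANetEngineer and vk7zms recommend above, written out as RouterOS commands for the RB2011. This is an added example, not a configuration posted by anyone in the thread; it assumes the layout from the posted /ip address print (bridge1 on 172.16.0.0/24, bridge2 on 172.31.0.0/24, ether1-gateway as WAN).

```routeros
# Added example for the RB2011 (not from any post in the thread).
# Assumed from the posted "/ip address print":
#   bridge1        172.16.0.1/24  (wired LAN)
#   bridge2        172.31.0.1/24  (separate LAN / WLAN)
#   ether1-gateway WAN side

/ip firewall filter

# Routed traffic between the two LANs passes through the forward chain.
# Drop it in both directions. Traffic leaving via ether1-gateway (internet)
# is not matched by these rules, so both LANs keep internet access.
add chain=forward in-interface=bridge1 out-interface=bridge2 action=drop comment="isolate: bridge1 -> bridge2"
add chain=forward in-interface=bridge2 out-interface=bridge1 action=drop comment="isolate: bridge2 -> bridge1"

# Packets addressed to the router itself use the input chain, not forward.
# Without these rules a host on one LAN can still reach the router's address
# on the other LAN. Each LAN keeps access to its own gateway address,
# so DHCP and DNS from the router are unaffected.
add chain=input in-interface=bridge2 dst-address=172.16.0.1 action=drop comment="isolate: bridge2 hosts -> router address on bridge1"
add chain=input in-interface=bridge1 dst-address=172.31.0.1 action=drop comment="isolate: bridge1 hosts -> router address on bridge2"

# Rules are evaluated top to bottom, so these drops must sit above any
# broader accept rule already present in the forward or input chain.

# Check: a ping from a host in one subnet to a host in the other should
# time out, and the packet counters on the drop rules should increase.
/ip firewall filter print stats
```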
 
LarryG
Frequent Visitor
Topic Author
Posts: 50
Joined: Tue Jun 19, 2012 8:09 pm

Re: Is Vlans the answer or is there an easier way?

Tue Aug 28, 2012 5:56 pm

> In this case the VLANs are members of bridges, so the ip addresses stay on the bridges. The 751 doesn't even need an ip address (except for management purposes)
>
> Btw - in your first post you mention you didn't want the two private ip ranges to be able to route to each other. You will need to add firewall rules to RB2011 to prevent this

I think I am following your suggestion. I have created a VLAN. It's called vlan-wifi and it has an ID of 2. I have attached it to ether2 of the RB2011. I then added the vlan-wifi as a port on bridge 2 of the RB2011.

On the RB751 I also made the same vlan-wifi with ID 2 and attached it to ether1-gateway, which is where it connects to the RB2011. I then attached that VLAN to bridge 2 along with the WLAN.

However, I am unable to draw an IP from the WiFi, so I am not able to connect to it. What am I missing?

As for the 2 networks not talking to each other, firewall rules shouldn't be that hard to deny that.

Also, I have added the ether1-gateway on the RB751 to bridge 1. Then I slaved the other 4 Ethernet ports to the ether1-gateway to kind of make a switch. Pretty much if I connect anything with a cable to ether one it draws from the DHCP server on the RB2011, which is what I want, because any device connected gets a 172.16. address.

If there is anything else that needs to be known please ask, as I will provide that data. I am not 100 percent sure which is the important data needed in order to help me resolve my issue.

Thanks again for the help.

Lastly, the only IP address on the 751G is what I statically assigned via DHCP with MAC address for port 1 from the RB2011, which is 172.16.0.2.
 
LarryG
Frequent Visitor
Topic Author
Posts: 50
Joined: Tue Jun 19, 2012 8:09 pm

Re: Is Vlans the answer or is there an easier way?

Tue Aug 28, 2012 6:37 pm

Here is some of the config for the RB2011.


/interface vlan> print
Flags: X - disabled, R - running, S - slave
# NAME MTU ARP VLAN-ID INTERFACE
0 R vlan-wifi 1500 enabled 2 ether2

/interface bridge> print
Flags: X - disabled, R - running
0 R name="bridge1" mtu=1500 l2mtu=1598 arp=enabled mac-address=D4:CA:6D:55:06:6A protocol-mode=none priority=0x8000 auto-mac=yes admin-mac=00:00:00:00:00:00 max-message-age=20s forward-delay=15s transmit-hold-count=6 ageing-time=5m

1 R name="bridge2" mtu=1500 l2mtu=1594 arp=enabled mac-address=D4:CA:6D:55:06:6A protocol-mode=none priority=0x8000 auto-mac=yes admin-mac=00:00:00:00:00:00 max-message-age=20s forward-delay=15s transmit-hold-count=6 ageing-time=5m


/interface bridge port> print
Flags: X - disabled, I - inactive, D - dynamic
# INTERFACE BRIDGE PRIORITY PATH-COST HORIZON
0 ether2 bridge1 0x80 10 none
1 I ether3 bridge1 0x80 10 none
2 I ether6 bridge1 0x80 10 none
3 I ether7 bridge1 0x80 10 none
4 I ether8 bridge1 0x80 10 none
5 I ether9 bridge1 0x80 10 none
6 I ether4 bridge2 0x80 10 none
7 I ether5 bridge2 0x80 10 none
8 I ether10 bridge1 0x80 10 none
9 vlan-wifi bridge2 0x80 10 none


/interface> print
Flags: D - dynamic, X - disabled, R - running, S - slave
# NAME TYPE MTU L2MTU MAX-L2MTU
0 R ether1-gateway ether 1500 1598 4074
1 R ether2 ether 1500 1598 4074
2 ether3 ether 1500 1598 4074
3 ether4 ether 1500 1598 4074
4 ether5 ether 1500 1598 4074
5 ether6 ether 1500 1598 2028
6 ether7 ether 1500 1598 2028
7 ether8 ether 1500 1598 2028
8 ether9 ether 1500 1598 2028
9 ether10 ether 1500 1598 2028
10 R bridge1 bridge 1500 1598
11 R bridge2 bridge 1500 1594
12 R vlan-wifi vlan 1500 1594


Here is some of the config from the RB751.

/interface vlan print
Flags: X - disabled, R - running, S - slave
# NAME MTU ARP VLAN-ID INTERFACE
0 R vlan-wifi 1500 enabled 2 ether1-gateway


/interface bridge print
Flags: X - disabled, R - running
0 R name="bridge1" mtu=1500 l2mtu=1598 arp=enabled mac-address=D4:CA:6D:27:83:93 protocol-mode=none priority=0x8000 auto-mac=no admin-mac=D4:CA:6D:27:83:93 max-message-age=20s forward-delay=15s transmit-hold-count=6 ageing-time=5m

1 R name="bridge2" mtu=1500 l2mtu=1594 arp=enabled mac-address=D4:CA:6D:27:83:92 protocol-mode=none priority=0x8000 auto-mac=yes admin-mac=00:00:00:00:00:00 max-message-age=20s forward-delay=15s transmit-hold-count=6 ageing-time=5m


/interface bridge port print
Flags: X - disabled, I - inactive, D - dynamic
# INTERFACE BRIDGE PRIORITY PATH-COST HORIZON
0 I wlan1 bridge2 0x80 10 none
1 ether1-gateway bridge1 0x80 10 none
2 vlan-wifi bridge2 0x80 10 none


/interface print
Flags: D - dynamic, X - disabled, R - running, S - slave
# NAME TYPE MTU L2MTU MAX-L2MTU
0 R ether1-gateway ether 1500 1598 4074
1 ether2 ether 1500 1598 4074
2 ether3 ether 1500 1598 4074
3 R ether4 ether 1500 1598 4074
4 ether5 ether 1500 1598 4074
5 wlan1 wlan 1500 2290
6 R bridge1 bridge 1500 1598
7 R bridge2 bridge 1500 1594
8 R vlan-wifi vlan 1500 1594


Edit: forgot the wireless, in case that's jacked up.

/interface wireless> print
Flags: X - disabled, R - running
0 name="wlan1" mtu=1500 mac-address=D4:CA:6D:27:83:97 arp=enabled interface-type=Atheros 11N mode=ap-bridge ssid="NBC" frequency=2412 band=2ghz-b/g/n channel-width=20/40mhz-ht-above scan-list=default wireless-protocol=any
antenna-mode=ant-a wds-mode=disabled wds-default-bridge=none wds-ignore-ssid=no bridge-mode=enabled default-authentication=yes default-forwarding=yes default-ap-tx-limit=0 default-client-tx-limit=0 hide-ssid=no security-profile=default
compression=no
 
vk7zms
Member Candidate
Posts: 227
Joined: Thu Jun 29, 2006 3:01 am
Location: Hobart, Tasmania

Re: Is Vlans the answer or is there an easier way?

Wed Aug 29, 2012 3:07 pm

What interfaces are your IP addresses and DHCP servers bound to on the RB2011, and what interface is the DHCP client bound to on the RB751?
 
LarryG
Frequent Visitor
Topic Author
Posts: 50
Joined: Tue Jun 19, 2012 8:09 pm

Re: Is Vlans the answer or is there an easier way?

Wed Aug 29, 2012 4:56 pm

> what interfaces are your IP addresses and DHCP-Servers bound to on the RB2011. and what interface is the DHCP-client bound to on the rb751

The DHCP client is on ether1-gateway of the RB2011, and the DHCP servers are assigned to the bridges. On the RB751G there are no clients; it all acts like a switch for the most part.
 
LarryG
Frequent Visitor
Topic Author
Posts: 50
Joined: Tue Jun 19, 2012 8:09 pm

Re: Is Vlans the answer or is there an easier way?

Thu Aug 30, 2012 12:30 am

On a side note, I noticed that bridge 2 does not seem to connect to each other on the routers. However, if I connect a cable from port 4 on the RB2011 to port 2 on the 751G and I put those ports on the respective bridges, then I can attach the WLAN to bridge2 and I get my separate WiFi from the Ethernet ports. However, this kinda defeats the purpose of having a VLAN, as it kills an extra Ethernet port on each router, and ports are very limited.
 
LarryG
Frequent Visitor
Topic Author
Posts: 50
Joined: Tue Jun 19, 2012 8:09 pm

Re: Is Vlans the answer or is there an easier way?

Wed Sep 05, 2012 9:07 pm

Bump to see if we can get some more suggestions on how to configure this correctly.
 
LarryG
Frequent Visitor
Topic Author
Posts: 50
Joined: Tue Jun 19, 2012 8:09 pm

Re: Is Vlans the answer or is there an easier way?

Wed Sep 12, 2012 7:55 pm

So I have tried to put DHCP clients on the VLANs. I've given them IP addresses. I tried several different things. I cannot get any communications over the VLAN. Please, what am I missing here?
 
LarryG
Frequent Visitor
Topic Author
Posts: 50
Joined: Tue Jun 19, 2012 8:09 pm

Re: Is Vlans the answer or is there an easier way?

Tue Sep 18, 2012 7:58 pm

Looks like I've lost the help that was around. Wondering if I should repost the question in a different subforum. Maybe this was too advanced for the beginners section. I don't know.

I would love to get this resolved or I'll be forced to use different MikroTik products. Bummer, because these 2 fit the bill perfectly.
